📆 This is the August 2023 edition of “This Month in WordPress with CodeinWP.”
Hey, WordPress fans.
We hope you had a great July and that, if you’re in the USA, you didn’t have any unfortunate incidents with fireworks. 🎆
Now that the month has officially come to a close, we are back with all of the latest WordPress news and events from the past month.
So – what happened last month?
First off, we got a look at the betas and release candidates for WordPress 6.3, so you should have a good idea of what the next major release will look like when it lands in August.
Beyond that, there were several vulnerabilities discovered in popular plugins, as well as some debate/controversy over WordCamp Dhaka and the WordPress.org recommended hosts page (which just removed SiteGround).
Let’s get to all the news from the past month…
August 2023 WordPress News with CodeinWP
WordCamp Dhaka canceled over corporate influence concerns
WordCamp Dhaka (Bangladesh) had originally been scheduled for August 5th 2023. However, in early July, the event was canceled.
While a cancellation itself isn’t a huge news story, the reason for it makes things a little more interesting.
The event was canceled due to concerns about corporate influence affecting the event and decision-making processes.
In an incident report published on make.wordpress.org, the Community Team said the following as to the exact reason:
“…there were observable actions from local community members to influence decisions that would benefit specific individuals or companies. When this influence did not immediately lead to their desired results, the individuals aimed to undermine the organizing process and event success.”
Fair enough. But what made things a little murkier and generated a lot of discussion is that the Community Team chose to not publicly share the name of the company that was attempting to influence the event.
This led to a lot of discussion in the comments of that make.wordpress.org post, with people sharing persuasive thoughts on both sides of the discussion.
Personally, I think that transparency is important, and it’s valuable to know the name of the company (even if the names of individuals involved are kept private), especially if the evidence was so persuasive as to cancel the event completely.
But at the same time, I do understand the reasoning behind the decision to withhold all names.
If you want to learn more, WP Tavern also has a post on the subject, including some more comments from individuals in the WordPress community.
Vulnerabilities in several major WordPress plugins
July saw the discovery of vulnerabilities in several large plugins. All of these vulnerabilities have since been patched, but it’s important to keep up with the news and make sure you’re using the latest versions on your sites.
Let’s start at the beginning and work through them chronologically by their disclosure times…
We begin in late June, when WPScan researchers discovered a vulnerability in the Ultimate Member plugin that was being actively exploited by malicious actors.
Ultimate Member promptly released version 2.6.4 to fix the issue. However, researchers found that malicious actors could still circumvent the patched version. On July 3, Ultimate Member was able to fully fix the problem in version 2.6.7. If you’re not using at least Ultimate Member 2.6.7, you should update immediately to protect your sites.
Next up – on July 6, Calvin Alkan disclosed a vulnerability in MalCare (which also affected BlogVault and WPRemote, because those plugins used the same code). MalCare fixed the issue two days later on July 8.
If you’re not using the latest versions of MalCare, BlogVault, and WPRemote, you should update them immediately. There is no evidence that the vulnerability was being actively exploited, though.
A few days later, there was a vulnerability discovered in the popular All-In-One Security plugin. The plugin was discovered to be storing user passwords from login attempts as plain text in the security audit log.
This meant that site admins could see the plaintext passwords of other WordPress users on their sites. While this didn’t really affect WordPress itself (because the admin already has the ability to change users’ passwords), it does mean that a malicious admin could use those credentials to try to access other sites where the users might have accounts.
The All-In-One Security team fixed this issue in version 5.2.0, which was released on July 10.
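The failure mode described above (a failed-login audit entry that keeps the submitted password) next to a hardened logger, as an added example that is not code from All-In-One Security or any other plugin mentioned here. It assumes a hypothetical plugin hooked to WordPress’s `wp_login_failed` action; the `example_` function names and the `error_log` sink are illustrative.

```php
<?php
// Added example, not code from All-In-One Security or any other plugin named
// above. Assumes a hypothetical audit logger hooked to WordPress's
// `wp_login_failed` action (which passes the attempted username); the
// `example_` names and the error_log sink are illustrative.

// The failure mode: recording the raw request keeps the password that
// wp-login.php submits in its `pwd` field, in plain text, in the audit log.
function example_audit_failed_login_vulnerable( $username ) {
    $entry = array(
        'event'   => 'login_failed',
        'user'    => $username,
        'request' => $_POST, // includes 'pwd' => the password as typed
        'time'    => time(),
    );
    error_log( wp_json_encode( $entry ) );
}

// Hardened: build the record from an allowlist of fields only. The password
// is never read, so it cannot end up in the log.
function example_build_failed_login_entry( $username, $remote_addr, $now ) {
    return array(
        'event' => 'login_failed',
        'user'  => sanitize_user( $username, true ),
        'ip'    => filter_var( $remote_addr, FILTER_VALIDATE_IP ) ? $remote_addr : 'invalid',
        'time'  => $now,
    );
}

// Defence in depth for any generic request logger: strip credential-bearing
// keys recursively before anything derived from $_POST is persisted.
function example_redact_credentials( array $data ) {
    $secret_keys = array( 'pwd', 'pass', 'password', 'pass1', 'pass2', 'user_pass' );
    foreach ( $data as $key => $value ) {
        if ( in_array( strtolower( (string) $key ), $secret_keys, true ) ) {
            $data[ $key ] = '[redacted]';
        } elseif ( is_array( $value ) ) {
            $data[ $key ] = example_redact_credentials( $value );
        }
    }
    return $data;
}

function example_audit_failed_login_hardened( $username ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $entry  = example_build_failed_login_entry( $username, $remote, time() );
    error_log( wp_json_encode( example_redact_credentials( $entry ) ) );
}
add_action( 'wp_login_failed', 'example_audit_failed_login_hardened' );
```

The allowlist is the actual fix; the recursive redaction only catches a password that some other code path already copied into a record before it is written.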
Lastly, on July 25, Patchstack disclosed multiple high-severity security vulnerabilities in the popular Ninja Forms plugin. The vulnerabilities were discovered on June 22 and Ninja Forms had patched them on July 4.
There is no evidence that these vulnerabilities were being actively exploited at the time of their discovery. However, if you’re not using at least Ninja Forms 3.6.26, you should update immediately to protect your site.
That sums up our August 2023 WordPress news roundup. Anything we missed?
Layout and presentation by Karol K.